Article by
Gildas Jones

2/26/2020

Our quick guide to Data Storage and GDPR

Cybercrime is an ever-present danger today. UK businesses, in particular, have much to be concerned about.

The National Cyber Security Centre reports that 2017 was a landmark year for the increase in cyber-attacks on British firms. Meanwhile, the Cyber Security Breaches Survey 2019 found that 32% of businesses recorded security breaches or attacks in the past year.

Data breaches specifically are widespread and costly. Almost 90% of UK businesses were hit with data breaches between 2018 and 2019. A single breach on average costs UK enterprises $3.88 million (£2.98 million).

An AtomikResearch survey revealed that, due to a cybersecurity breach, 33% of UK businesses say they lost customers, 34% say their reputation suffered, and 23% lost revenue.

There is no doubt about it. Data storage is an issue that any business owner should be informed about, lest they put their investments at risk. Directly related to this is the General Data Protection Regulation (GDPR). This guide will explain everything you need to know about both topics.

The Importance of Protecting Data

Businesses today collect personal data from their customers. Data collection is done for a number of reasons, such as for the improvement of products or smoother user experiences. Whatever the intention, the act of collecting customers’ personal data makes such businesses responsible for safeguarding that data.

Protecting data ties into the basic concept of respecting people’s privacy. Doing so builds trust between businesses and customers, which is critical to any company’s success.

Data protection also facilitates free trade and cooperation between businesses and organisations across international lines. With regulations like the GDPR in place, there is confidence in the idea that all parties have each other’s best interests in mind.

The Fundamentals of the GDPR

The GDPR is the main EU law regarding the processing of personal data for business or other non-household purposes. The only exemptions to this regulation are related to law enforcement and specific national security concerns.

While the GDPR will technically no longer directly apply to the UK after it properly leaves the EU, it is still integrated into UK law under the European Union (Withdrawal) Act of 2018. It also applies to companies based outside the EU that process personal data of EU citizens, so UK companies that do business in the European Economic Area (EEA) will still have to comply.

As of this article’s writing, the GDPR works in tandem with the UK’s Data Protection Act 2018. The likelihood then is that most of the regulations around GDPR aren’t going anywhere for some time.

Definition of Terms

  1. Processing

Processing includes just about every action involved in handling data, such as:

  • Collecting
  • Recording
  • Using
  • Analysing
  • Combining
  • Disclosing
  • Deleting

  2. Personal Data

Personal data is any sort of data that can be used to identify and relate to a specific living person. This includes but is not limited to information such as:

  • Names
  • Identification numbers
    • National Insurance
    • Passport number
  • Location data
    • Home address
    • Mobile GPS data
  • Online identifiers
    • IP address
    • Cookies
  • Sensitive data
    • Genetic data
    • Biometrics
    • Health status
    • Ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Sexual orientation

Information that is inaccurate but relates to an identifiable individual can still be considered personal data. Persons, meanwhile, can be customers, employees, business partners, etc.

Data that can be accessed publicly still counts as personal data as long as it can identify a person. Data is also personal data even if it can only be used to indirectly identify a person.

Personal data must relate to an identifiable individual. It has to be about the individual or their activities. The purpose of processing their data must be relevant to the individual. The individual should also be affected by the processing of their data.

Generally speaking, personal data is considered as such when it is digitally processed. Paper records have to be transferred to a computer or filed in an organised manner to count as personal data.

  3. Controllers and Processors

The GDPR places responsibility on controllers and processors of personal data.

Controllers decide the means and the purpose for collecting personal data. Companies are generally considered controllers, although individuals can be controllers as well in the case of sole traders.

Processors are separate entities that process personal data on behalf of controllers. Examples of processors are outsourced HR services, marketing agencies, and call centres.

Both are liable for personal data breaches, but controllers have greater legal obligations.

The GDPR is based on seven principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Controllers are responsible for complying with the GDPR and for demonstrating compliance with all seven principles.

For this specific article, we are focusing on two of these principles: storage limitation, and integrity and confidentiality.

Storage Limitation

Personal data should be kept in storage only for as long as it is necessary for the specific purpose for which it was collected in the first place and for legal obligations such as tax laws and product warranties.

The only exceptions that allow storing personal data for longer than necessary are when you need to archive such data for public interest or for scientific or historical research. Personal data must also be accurate and kept updated.

With these in mind, your business must have a set time limit for when you need to delete or review the personal data you have stored. If your business has no more legitimate reason to process the data you have obtained, remove it from storage as soon as possible.

Integrity and Confidentiality

Processing personal data must be done securely. It must be protected from unauthorised or unlawful processing, accidental loss, destruction, or damage. Securing personal data must be done through appropriate technical and organisational measures. These measures include risk analysis, organisational policies, and data masking techniques such as encryption and pseudonymisation.

Such security measures must allow for restoring access and availability to personal data in a timely manner in case of incidents.

You are also obligated to apply processes to test your security measures and improve them to address any gaps.

Data Storage and Protection

A major factor in securing personal data is how you choose to store it. There are two main methods of storing data: on-premises and cloud-based.

Each method has its own set of benefits and drawbacks. Your decision rests on the costs your business can afford, how much risk you can deal with, how you can manage it, and how you can maintain business continuity.

1. On-premises Storage

Storing personal data on business premises is generally done in two ways. One is through paper records organised in a manual filing system, and the other is through storing digital records on a local device.

Personal data in on-premises storage can be accessed very quickly, especially without having to rely on internet speeds that can be inconsistent. The loss of third-party services like internet access and cloud storage solutions does not render your important data processing activities inoperable. You also have complete control over securing and managing your data.

The biggest problem with depending solely on on-premises storage is the greater risk of losing personal data if the storage devices are damaged or lost. Personal data that is lost and cannot be recovered will incur great penalties under the GDPR.

2. Cloud-based Storage

Personal data stored in the cloud is accessed externally through the internet, either on a private server like your IT provider’s data centre or on a public server like Office 365 or Dropbox.

Cloud-based storage is less risky, as personal data is not stored on just one device. Recovering lost or damaged data is much more likely. There is more flexibility in data processing as well because data can be accessed outside of business premises.

It is also easier to budget for cloud-based storage, as third parties take care of management and maintenance. Reputable cloud solution providers offer strict GDPR compliance with their services, potentially saving you from spending too much on cybersecurity and data recovery if a breach were to ever happen.

Do remember that outsourcing data storage does not absolve your company (the controller) from the responsibility of protecting personal data. If you choose to store data in the cloud, you have to observe due diligence and know exactly how your provider is handling the data you’ve entrusted to them.

Store Your Data Securely

Savvy business owners take a hybrid approach to data storage, relying mainly on high-tech, high-security cloud solutions while maintaining local backups for added redundancy. This way, data protection and data are both achieved to address GDPR compliance and potential data breaches.

Since there’s no escaping the potential fines of GDPR non-compliance, it’s best that you have a strong data storage process in place. If you want to make sure your data backup, cyber security, and data recovery plans are up to par, give our expert IT team a call at 0117 369 4335.